Abstract
Honeypots still play an important role in network security, especially in analyzing attack types and defining attacker patterns. Previous research has mainly focused on detecting attack patterns, while categorization of attack type has not yet been comprehensively discussed. Nowadays, the web application is the most common and popular way for users to gather information, but it also invites attackers to assault the system. Therefore, deploying a web honeypot is important and its forensic analysis is urgently required. In this paper, the authors propose attack type analysis of web honeypot logs for forensic purposes. Every log entry is represented as a vertex in a graph. Then a custom agglomerative clustering is deployed to categorize attack types based on PHP-IDS rules. A visualization of large graphs is also provided, since the actual logs contain tens of thousands of rows of records. The experimental results show that the proposed model can help forensic investigators examine a web honeypot log more precisely.
Pages
60–65
Physical description
Bibliography: 30 items, figures, tables.
Authors
author
- Department of Informatics, Institut Teknologi Sepuluh Nopember (ITS), Surabaya, Indonesia
author
- Department of Informatics, Institut Teknologi Sepuluh Nopember (ITS), Surabaya, Indonesia
author
- Department of Informatics, Institut Teknologi Sepuluh Nopember (ITS), Surabaya, Indonesia
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-20fddc02-4005-45ab-8350-44ecf6835344